Analysis
max time kernel: 160s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2023 09:23

Static task: static1
Behavioral task: behavioral1
  Sample: CAMSCANNER_XEROX111023.scr.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: CAMSCANNER_XEROX111023.scr.exe
  Resource: win10v2004-20230915-en
General
Target: CAMSCANNER_XEROX111023.scr.exe
Size: 168KB
MD5: c04d39e4d40a1ea077e10d2d2b78d25d
SHA1: ce37dc7a55e6eb78a7310074136d7b87c44c85eb
SHA256: 0ef0022fbc09c3770f6ef6268806a7baa2fbd1141cf43144196f9313cf6e2663
SHA512: eb41864e2763c1338b39b2617350b0d288a5cd6572a50be84b2b86515a0bc4674518c7fb7b8a0b8412328aea88d6942c3d975951d71c3062f33c46b78029ddea
SSDEEP: 1536:Apka7KXz5hwQLrR27irlIPOTaAqglHPUstodIKdoUy:ApH7anbXR27iKj9gvmBy
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: mail.avtorska.com.mk
Port: 587
Username: [email protected]
Password: avtorska2014@
Email To: [email protected]
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (4 IoCs)
Processes:
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\day1.exe                                   family_snakekeylogger
  C:\Users\Admin\AppData\Local\Temp\day1.exe                                   family_snakekeylogger
  C:\Users\Admin\AppData\Local\Temp\day1.exe                                   family_snakekeylogger
  behavioral2/memory/3980-19-0x00000000001E0000-0x00000000001FC000-memory.dmp  family_snakekeylogger
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation  CAMSCANNER_XEROX111023.scr.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  3980  day1.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  69    checkip.dyndns.org
Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description                          pid   process                         target process
  PID 4428 set thread context of 1944  4428  CAMSCANNER_XEROX111023.scr.exe  CAMSCANNER_XEROX111023.scr.exe
  PID 1944 set thread context of 3184  1944  CAMSCANNER_XEROX111023.scr.exe  Explorer.EXE
  PID 1944 set thread context of 2708  1944  CAMSCANNER_XEROX111023.scr.exe  where.exe
  PID 2708 set thread context of 3184  2708  where.exe                       Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                                   process
  Key created  \Registry\User\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  where.exe
Suspicious behavior: EnumeratesProcesses (29 IoCs)
Processes:
  pid   process                         hits
  4428  CAMSCANNER_XEROX111023.scr.exe  2
  3980  day1.exe                        1
  1944  CAMSCANNER_XEROX111023.scr.exe  16
  2708  where.exe                       10
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
  pid   process                         hits
  1944  CAMSCANNER_XEROX111023.scr.exe  1
  3184  Explorer.EXE                    2
  2708  where.exe                       3
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  4428  CAMSCANNER_XEROX111023.scr.exe
  Token: SeDebugPrivilege  3980  day1.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                       pid   process                         target process                  hits
  PID 4428 wrote to memory of 3980  4428  CAMSCANNER_XEROX111023.scr.exe  day1.exe                        2
  PID 4428 wrote to memory of 1144  4428  CAMSCANNER_XEROX111023.scr.exe  CAMSCANNER_XEROX111023.scr.exe  3
  PID 4428 wrote to memory of 1944  4428  CAMSCANNER_XEROX111023.scr.exe  CAMSCANNER_XEROX111023.scr.exe  6
  PID 3184 wrote to memory of 2708  3184  Explorer.EXE                    where.exe                       3
  PID 2708 wrote to memory of 848   2708  where.exe                       Firefox.exe                     2
Processes

[1] C:\Windows\Explorer.EXE  (PID 3184)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe  (PID 4428)
        Command line: "C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe"
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\day1.exe  (PID 3980)
            Command line: "C:\Users\Admin\AppData\Local\Temp\day1.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe  (PID 1144)
            Command line: C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe

        [3] C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe  (PID 1944)
            Command line: C:\Users\Admin\AppData\Local\Temp\CAMSCANNER_XEROX111023.scr.exe
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection

    [2] C:\Windows\SysWOW64\where.exe  (PID 2708)
        Command line: "C:\Windows\SysWOW64\where.exe"
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 848)
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 96KB
MD5: 71bb9ac16c38c3a80c5d3f804a28e4f7
SHA1: 1451bcd7eba073e6ea9a18c87e0409fc325720a3
SHA256: dd0e911ba194186388c0998b83ab216c912b659fff0683343f529ae194ab049c
SHA512: b69ad8fd6523e34e5cdf25750b3b5f12db45200e608d0b1e1c5fe6cadeb1a784f8214f2b6032cea1c87c798841012cb457660520391c4d418a089de568229798